Chaffetz Critiques OPM Cyber and Calls for Zero Trust Policies

Due to the breadth and depth of cyberattacks and breaches in the Federal government, most especially the Office of Personnel Management (OPM), agencies should be implementing a policy of zero trust when it comes to who is accessing their data, according to Rep. Jason Chaffetz, R-Utah.

“Zero trust is one of the things I like to think the private sector figured out a long time ago,” said Chaffetz. Zero trust operates under the principle of “never trust, always verify,” which means that trust is never assumed for any device or user on the system.

Chaffetz said the policy is like requiring elementary school students to carry hall passes when they leave the classroom. “The Federal government often operates without these hall passes.”

Chaffetz spoke about a report titled “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation,” recently released by the House Oversight and Government Reform Committee, of which Chaffetz is chair.

“This is one of the largest breaches in the history of the United States,” said Chaffetz, adding that the report found that there had been numerous red flags at OPM before and during the breach. “I believe that the breach of OPM is a defining moment in Federal cybersecurity.”

According to the report, OPM failed to implement two-factor authentication on important networks, and only 1 percent of employees were required to use personal identity verification cards for authentication. The agency also failed to discover that the hackers were in its system as early as 2012, and that there was a second hacker altogether.

“Due to OPM’s failure to adequately log network activity, we will never know all of what was stolen,” Chaffetz said.

Though the report finds that OPM did contract private tools from Cylance and Cytech, through which “so much malware was found that it was said to have lit up like a Christmas tree,” according to Chaffetz, “the alarm didn’t sound until the damage was done.”

The report provides a critique of OPM’s leadership, saying that the damage could have been prevented and that OPM evaded revealing the true extent of the hack. It also offers some solutions to prevent future hacks.

“The lax state of OPM’s information security left the agency’s information systems exposed for any experienced hacker to infiltrate and compromise,” the report said. “The agency’s senior leadership failed to fully comprehend the extent of the compromise, allowing the hackers to remove manuals and other sensitive materials that essentially provided a road map to the OPM IT environment and key users for potential compromise.”

“The report recommends that agencies move to adopt this zero-trust model,” Chaffetz said. “You should always assume that someone is in your system and that they’re nefarious.”

He also expressed concerns about the IT vulnerabilities in other agencies, joking that, “NASA can put a man on the moon but they can’t protect their email.”

He expressed particular concern over the agencies that collect large amounts of citizen data.

“The biggest vulnerability that I see out there right now? Department of Education,” said Chaffetz. He explained the department has approximately 180 databases, featuring personal grant information such as Social Security and financial data. “All of that is in one file and it’s housed at the Department of Education. And they have no two-factor authentication, they have no encryption.”

“It just does seem like one good trip to Best Buy would solve a lot of these problems,” said Chaffetz. “We’re talking about the basics, we’re not even talking about sophistication at this point.”